The Role of the Data Protection Officer (DPO)
One of the changes to be introduced under the General Data Protection Regulation (GDPR) is the requirement to appoint a data protection officer (DPO) in certain circumstances. Most firms are familiar with the role in general terms, but it’s imperative that firms take steps to ensure they are clear about whether they need to have one, and if they don’t, whether they should elect to have one.
If you appoint a formal DPO, they will need to be able to comply with the full range of obligations. If it is not mandatory for your firm to appoint a DPO, and you aren’t sure that a DPO would be able to comply with those obligations (for example, in a small firm where there is not the scope to employ a DPO who would be considered independent), you may decide not to appoint a formal DPO. It’s also important to be aware that in some cases a processor will also need a DPO, depending on who fulfils the criteria for mandatory designation; in short, all firms must be clear about whether they need to appoint someone to the role.
For firms that do need a DPO, how will the incoming Regulation affect the role? Firstly, the DPO is expected to have expert knowledge of national and European data protection law and practices, and an in-depth knowledge of the GDPR. The necessary level of expert knowledge depends on the operations carried out and the protection required for the data being processed; currently neither the GDPR nor the Article 29 Working Party offers any clearer definition of specific standards. The DPO should also be familiar with the business sector and the processing operations of the firm itself.
Importantly, especially for small and medium-sized firms, although Article 38(6) allows DPOs to ‘fulfil other tasks and duties’, these should not result in a conflict of interest. DPOs are expected to maintain a level of independence sufficient to allow them to undertake the role; this means that the DPO cannot also hold a position in the company that is responsible for determining the purposes and means of processing personal data. In other words, a DPO must be independent of other senior management. The Working Party has offered guidance that conflicting positions may include Chief Executive, Chief Operating Officer, Chief Financial Officer, Head of Marketing, Head of HR or Head of IT, but also other roles lower down the organisational structure if they too enable the determination of processing.
The role itself is to assist firms to comply with the law. The expected tasks of a DPO are set out in Article 39:
to inform and advise the controller or the processor, and the employees who carry out processing, of their obligations under the Regulation and under any other relevant data protection provisions;
to monitor compliance with the GDPR, with any other data protection provisions, and with any internal and external policies that the firm is bound by, including the training of staff, the assignment of responsibilities, awareness-raising and the related audits;
to provide advice where requested as regards the data protection impact assessment and to monitor its performance in line with Article 35;
to cooperate with the supervisory authority (in this case, the Information Commissioner’s Office);
to act as the contact point for the supervisory authority on issues relating to processing and to consult, where appropriate, with regard to any other matter.
In addition, Article 39 states that the DPO shall ‘have due regard to the risk associated with processing operations taking into account the nature, scope, context and purposes of processing’.
Again, the Working Party has offered some useful guidance on what these tasks should look like in practice. As part of the duty to monitor compliance, the DPO may: collect information to identify processing activities; analyse and check the compliance of those processing activities; and inform, advise and issue recommendations to the firm. Monitoring compliance does not mean the DPO is personally responsible for any instances of non-compliance; the GDPR makes it clear that it is the firm which has ultimate responsibility for the measures that ensure processing is performed in compliance with the Regulation.
This is mirrored in the guidance on the DPO’s role in a data protection impact assessment (DPIA). Whilst it is the duty of the firm to carry out the DPIA, the DPO can, and should, assist the organisation. DPOs can offer useful knowledge and expertise on whether a DPIA needs to be undertaken, on recommended methodologies, on appropriate safeguards to mitigate any risks to data subjects, and on whether the DPIA has been carried out correctly.
DPOs also play an important role in record keeping. Whilst the ultimate responsibility for maintaining sufficient record systems lies with the organisation, it is recognised that DPOs create a wealth of records during their day-to-day tasks, which can help firms to provide the information should it be required by the supervisory authority. In addition, although ultimate responsibility rests with the firm, it may elect to assign responsibility for maintaining the records of processing operations to the DPO; the record itself would then be considered part of the process enabling the DPO to perform compliance monitoring, or to inform and advise the firm.
With under 100 days to go until GDPR, firms should be clear on whether the role is mandatory for their organisation, or whether they would like to elect to appoint a formal DPO. Ultimately, the role is vital to ensuring compliance with the new Regulation, and with the maximum fine available to the supervisory authority under GDPR set at €20 million or 4% of the company’s annual turnover, whichever is higher, it pays to have the right person in the job. Check out our Services page to see how we can help your firm prepare for the new Regulation.